Given some recent conversations I’ve had on the topic of “What’s Hot and What’s Not in the World of Security”, I thought it would be timely to write a series of blogs on “Free Stuff”. And I’m not talking about the big bag of security tchotchkes you picked up at the last RSA convention - a person can only use so many rubber penguins! - I’m talking real, useful, save-your-business, move-you-closer-to-five-nines kind of free stuff.
Business Continuity Planning and Security go hand in hand. If you’re familiar with CIA (no, not the government agency!), then you know that the “A” is for “Availability”. Good security is making sure that your data is always available when you need it to be. If I’ve said it once… You can spend all the money you want on tools and technology - and yes, they are critical! - but they mean nothing unless you’re also implementing a couple of simple, common sense “best practices” that cost you nothing! I’ll start with one of my favorites; something that you can start doing today without waiting for the next budget cycle or equipment forecast! Of course, you might want to run it through your change management process just to be on the safe side ;-)
But first, a little trip down geek-memory lane. I remember how excited we all were when our Digital Tru64 UNIX Alpha Server hit the three-year mark without any downtime! All up - all the time. Pretty impressive! Three years with no problems or interruptions at all, just kept on ticking! Impressive! TSC – that was the system name though I have no idea what meaning, if any, the acronym had - was the primary in a two-node active/passive cluster and it was where we kept all of our important documentation and everything else we needed to keep our business going. Three years. Never down. Maybe TSC meant “The Super Computer”. Who knows.
Now, looking back through a wiser (and older) set of eyes, I ask myself: “What the heck were we thinking?!!” Did we never even consider what would happen if it did go down? Would it come back up? Would the backup server take over? Was the backup server even working as we assumed it was out there quietly in the shadow of “The Super Computer”? Would we lose valuable data? Was there some hardware ‘thing’ that might have been teetering on the brink until it went through a power down? We had no idea what would happen in the event of an unplanned outage because we were so excited about seeing how long it would keep running! For all I know – it’s STILL running! But we weren’t security people – for us it was the thrill of infinite uptime! - we never considered the security implications of how prepared we were - or were not - for an unexpected outage!
Well, this is a simple problem with a remediation that is easy and free and applies to anything in your environment that you consider (and hope) to be redundant: You need to schedule regular reboots. No, not only for when it’s necessary for a software update. I’m talking Regular! As in monthly! WHAT??
It’s critical that you proactively test the ability of your redundant systems, firewalls, routers, etc. to fail over and/or come back after an outage. Test your cluster failover to shake out potential issues with your secondary. In fact, trade off active/passive roles every other month. Unplug your primary power supply to make sure the backup backs it up! Don’t let the first test of your redundant environment be in an emergency! If you don’t test it, it may NOT be redundant at all!
While it might seem like a contradiction to suggest that you take “stuff” down to ensure that it stays up, it just takes one failure of redundancy to understand why it makes perfect business sense! And while it does mean that you’ll never get to break “The Super Computer’s” record, you’ll be that much closer to achieving the availability your business demands! And, what makes it all the better, it’s free stuff!